How can I tell if ASL blocked something in the past?

If ASL is no longer blocking an IP but you want to find out whether it blocked that IP in the past, you can either check the ASL GUI, as explained in the article above, or check the logs to see whether the IP was blocked. To check the logs, run this command as root:

grep <IP> /var/ossec/logs/active-responses.log*

Example:

grep 1.2.3.4 /var/ossec/logs/active-responses.log*

Where 1.2.3.4 is the IP address you want to check. Keep in mind that if you have log rotation enabled, you may need to check the archived logs as well.

If you have compression enabled for your rotated logs, search the compressed archives with this command:

zgrep 1.2.3.4 /var/ossec/logs/active-responses.log*gz

If compression is not enabled for your rotated logs, search the archives with this command:

grep 1.2.3.4 /var/ossec/logs/active-responses.log.*
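As an added example that is not part of this article or of ASL itself, the following POSIX shell script (the helper names find_shun_entries, count_shun_entries and make_sample_logs are assumed) searches the current, rotated and gzip-compressed active-responses.log files for one address in a single pass, and treats the dots in the address literally so that a search for 1.2.3.4 does not also match 1.2.3.45; the log lines it creates are constructed sample data for the demonstration.

```shell
#!/bin/sh
# Added example, not code from the ASL article: search the active-response
# logs, including rotated and gzip-compressed copies, for one exact IPv4
# address. A bare "grep 1.2.3.4" treats "." as a wildcard and also matches
# 1.2.3.45, so the address is escaped and anchored on non-address characters.

# Print every log line that mentions exactly the IP $1 from log directory $2
# (defaults to ASL's /var/ossec/logs when run on a real host).
find_shun_entries() {
  ip="$1"
  dir="${2:-/var/ossec/logs}"
  esc=$(printf '%s' "$ip" | sed 's/\./\\./g')
  pat="(^|[^0-9.])${esc}([^0-9.]|$)"
  for f in "$dir"/active-responses.log*; do
    [ -e "$f" ] || continue
    case "$f" in
      *.gz) gzip -dc "$f" ;;   # compressed rotated copies
      *)    cat "$f" ;;        # current log and uncompressed rotated copies
    esac
  done | grep -E "$pat"
}

# Number of matching lines; 0 means no active response ever named this IP.
count_shun_entries() {
  find_shun_entries "$1" "$2" | wc -l | tr -d ' '
}

# Constructed sample data (hypothetical, in the general style of an OSSEC
# active-responses.log) so the functions can be exercised offline.
make_sample_logs() {
  d=$(mktemp -d)
  cat > "$d/active-responses.log" <<'EOF'
Mon Jan  1 10:00:00 UTC 2024 /var/ossec/active-response/bin/firewall-drop.sh add - 1.2.3.4 1704103200.1 5712
Mon Jan  1 10:05:00 UTC 2024 /var/ossec/active-response/bin/firewall-drop.sh add - 1.2.3.45 1704103500.2 5712
EOF
  cat > "$d/active-responses.log.1" <<'EOF'
Sun Dec 31 09:00:00 UTC 2023 /var/ossec/active-response/bin/firewall-drop.sh delete - 1.2.3.4 1704013200.3 5712
EOF
  printf '%s\n' 'Sat Dec 30 08:00:00 UTC 2023 /var/ossec/active-response/bin/firewall-drop.sh add - 1.2.3.4 1703923200.4 5712' \
    | gzip -c > "$d/active-responses.log.2.gz"
  printf '%s\n' "$d"
}

# Stand-alone demonstration on the constructed sample logs.
sample_dir=$(make_sample_logs)
echo "1.2.3.4 seen $(count_shun_entries 1.2.3.4 "$sample_dir") time(s):"
find_shun_entries 1.2.3.4 "$sample_dir"
rm -rf "$sample_dir"
```

On a real host, run it as root with the log directory argument omitted so the default /var/ossec/logs is searched.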

You can also check the firewall rules directly at the system level, if you are concerned that the shunning system may be corrupted or broken on your system, by running this command:

iptables -L -n | grep 1.2.3.4

Where 1.2.3.4 is the IP address you want to check.

Note: If you have whitelisted an IP address, ASL will not shun the IP.